It’s a way to embrace uncertainty and enable success
Managing risk sounds chronically dull to many. David Nalder, who’s spent thirty years helping organisations understand and manage risk effectively, sees it differently. He views “risk” as an inherent part of success, management, performance, and decision making.
There are few things that are better at bringing down the mood in a room than a focused discussion on risk. Typically risk management is approached as a way of identifying as many things as possible that could go wrong, some pseudo-maths to calculate how likely they are to happen and the impact of them if they do happen, recording this in a risk register, and then mostly ignoring the results until governance reporting time rolls around again.
This approach stems from the various standards and frameworks that provide the theory and guidance for risk management. My experience is that theory works well in theory, but not often in practice. One-size-fits-all international standards and global “best practice” methodologies don’t consider how organisations actually work and make decisions.
Many of the organisations I have worked with, particularly in the public sector, have approaches to risk that look good on paper but struggle to make a difference in a multi-layered authorising environment, with ambiguous priority setting, fast-paced decision making, and time-poor leaders.
How You know If You Have a Problem With Your Risk Strategy (Characteristics of ineffective approaches to risk management)
- You have a full-time risk manager whose job it is to manage risk
- Risk is a separate agenda item at governance and management meetings
- Periodic (typically quarterly) meetings consider a top-10 risk report
- Risks are identified on a bottom-up basis, by middle management in a "risk workshop", and by individual business area or a programme basis
- Risks are worded solely in the negative (that is, what could go wrong or what has already gone wrong)
- Risks are mathematically scored on their likelihood and impact presented on a 5x5 heatmap
- The size of the risk register increases over time
- Risks are grouped and reported by business units, following the organisational structure and reporting lines
- Many of the risks are in fact live issues
If your organisation answered yes to any of the above, you likely have a problem. Why this matters is that these are symptoms of a risk management approach that is disjointed from day-to-day management, accountability, and decision making. If risk does not directly link to the discussion of the moment and the resulting decisions made, then it is not making a difference.
Language and human nature
Traditional risk approaches are often rigid, and they forget how people think and work. Language is everything! Language around risk is often loaded with jargon where common usage words take on specific meanings and is off-putting to the average person just trying to do their job.
People feel uncomfortable with talk of things that could go wrong (especially in areas they are accountable for). People naturally focus on commitments made, on success, and on what needs to go right to achieve this. This feels like core business. Words like “risk” turn people off while words like “success” encourage focus and effort.
Yet “risk” and “success” are essentially the same thing, with one worded in the negative and one in the positive. They both reflect uncertainty about the future, which needs to be managed well for the organisation (and them) to deliver to it’s purpose and mandate.
People come to work wanting to do a good job and wanting to succeed – both organisationally and individually. They make many decisions a day and implicitly understand the risks (and opportunities) when making those decisions. Good approaches to risk management understand this and empower people to make good decisions, with confidence, based on good information and clarity around their decision-making rights.
Essentially, the following two statements say the same things:
- If we fail to engage with mana whenua, then we will breach our Te Tiriti obligations.
- Effective and genuine partnership with mana whenua will enhance our relationships and decision making.
Which discussion would you prefer to have?
From risk to uncertainty
Risk is neither good nor bad – it is just a fact of life that reflects uncertainty about the future. Without uncertainty, there would be little incentive or opportunity to do things differently. Embracing uncertainty means focusing on positive opportunities that may emerge from this uncertainty (as well as managing the potential downsides).
Valuable conversations occur when organisations ask these questions about uncertainty:
- What matters to us?
- What could go right (opportunities) and how can we ensure this happens?
- What could go wrong (threats) and how can we prevent this from happening or respond appropriately if it does?
- What has happened (issues) and how do we learn from this?
Management, risk, and resilience
Organisational governance, leadership, decision making, operating model design, day-to-day management, operational delivery, risk management, and business continuity management are often approached as discrete activities. They are not.
Risk management and resilience are just subsets of management. All focus on success and uncertainty – they just look at things through different lenses.
An effective risk approach empowers and enables people to address the questions above in a consistent, informed, and joined-up way. Good approaches support the person to make decisions and operate in a way that’s most aligned to the organisation’s purpose and commitments.
Things like policies, procedures, internal controls, accountability frameworks, risk appetite statements, and delegations of authority sound dull and constraining. Done poorly (which many are), they are seen as static restrictive documents that people infrequently read and frequently resent.
Done well, they are empowering, providing clarity and confidence to all around the autonomy they have and parameters in which they can act.
Integrating risk into your operating model and ways of working
It continues to surprise me how many organisations do not have a simple way of describing why they exist, what they do, who does it, and how they operate. “Operating model” is a another term that is used often but means different things to different people. There are many ways to describe an operating model, but the important thing is that there is one (and this need not be more than one page) so that everyone understands where they fit into the big picture and how they contribute to it.
Where operating models do exist, few outside the top table have seen it, understand it, and use it to align their activity and decision making. How can an organisation truly manage uncertainty (risk and opportunity) effectively if there is no shared way of describing how it works?
A simple operating model allows:
- everyone in the organisation to understand the role they play and where they fit into the jigsaw puzzle
- uncertainty (risk and opportunity) to be considered across all aspects of the operating model (and the decision at hand)
- decisions to be prioritised and assessed – asking questions like “How does this investment (time, money, people, resources) deliver value and enhance or strengthen how we operate?”
- mechanisms to manage uncertainty to be built into the operating model and core ways of working.
Without an operating model view, there is a tendency for entities to think along organisational structure lines, often operating as a federation of siloed sub-entities, connected primarily by a common letterhead. This makes it hard to identify and manage risk at an entity-wide level.
Showing the link from strategy to execution
Effective risk management therefore enables a clear and transparent understanding and link between purpose, commitment, uncertainty, activity, and performance, on a top-down basis as shown below.
Risk and assurance
Half the job is understanding risk; the other half managing it effectively and being confident that what is expected is done.
There are various ways to do this. Confidence (assurance) that risks are effectively managed can come from:
- Doing it yourself: directly determining (and/or doing) what needs to be done. Typically though, these are split across multiples functions with titles such as Planning or Operations.
- Checking yourself: given that risk and success are essentially mirror images of each other, you will already have many lead and lag indicators that you are monitoring as a core part of your accountability documents and periodic performance reporting. The trick is to link these so that monitoring how you are going enables you to monitor risk – both the threats and opportunities.
- Asking others to check for you: for example, through peer reviews, investigations, continuous improvement, quality assurance, internal audits, and similar.
- Being checked by others: for example, through oversight from your monitoring agency, regulators, auditors, and so on.
Risk and performance
When risk management is thought of in terms of purpose, commitments, uncertainty, success, initiative, and achievement, then risk monitoring starts to look very much like performance monitoring.
The most effective approaches I have seen are where there is a simple one page executive dashboard that focuses discussion on the most important things that need attention. Directly linking success to indicators of success provides a view on how well risks associated with success are being managed.
A well-formed set of performance indicators, linked to things that matter to you and the outcomes you are held to, combining good lead and lag measures, is actually the best way of measuring how well risks are being managed. Be wary of over-engineering this, with whole industries based on building KRAs, KPIs, KRIs, KCIs linked to SPEs, and SOIs. This is just JGM! (jargon gone mad).
What good looks like
Bringing this all together, effective risk management demonstrates a few common characteristics:
- There is little use of the work “risk” as opposed to more meaningful words such as purpose, commitments, success, accountability, governance, uncertainty, opportunity, decision, activity, and performance.
- Risks are defined terms of uncertainty so that equal emphasis is on upside opportunities as well as downside threats.
- Risks are linked explicitly to management, oversight, and decision making.
- A simple, visual, top-down approach is used to describe risks in a way that makes this information relevant and accessible.
- Risk (uncertainty) is identified across all aspects of your operating model.
- Your core management reporting approaches provide transparency and confidence in how success is achieved and uncertainty is managed.
- Risk reporting therefore is aligned with (and becomes part of) organisational performance reporting.
- Risk management is integrated into management, so these are not approached as disjointed and discrete activities.
Risk is not a four-letter word. Risk and success are flipsides of the same thing. Risk management is therefore effectively managing uncertainty associated with what you’ve committed to and how you work.
This sounds to me like core business.
If you want to know more about the ideas expressed here, you can contact David at firstname.lastname@example.org or on +64-21 380 889